Claude-skill-registry doppler-workflows
Doppler credential and publishing workflows. TRIGGERS - PyPI publish, AWS credentials, Doppler secrets.
install
source · Clone the upstream repo
git clone https://github.com/majiayu000/claude-skill-registry
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/majiayu000/claude-skill-registry "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/data/doppler-workflows" ~/.claude/skills/majiayu000-claude-skill-registry-doppler-workflows && rm -rf "$T"
manifest: skills/data/doppler-workflows/SKILL.md
source content
Doppler Credential Workflows
Quick Reference
When to use this skill:
- Publishing Python packages to PyPI
- Rotating AWS access keys
- Managing credentials across multiple services
- Troubleshooting authentication failures (403, InvalidClientTokenId)
- Setting up Doppler credential injection patterns
- Multi-token/multi-account strategies
Core Pattern: Doppler CLI
Standard Usage:
doppler run --project <project> --config <config> --command='<command>'
Why --command flag:
- Official Doppler pattern (auto-detects shell)
- Ensures variables expand AFTER Doppler injects them
- Without it: shell expands $VAR before Doppler runs → empty string
Quick Start Examples
PyPI Publishing
doppler run --project claude-config --config dev \
  --command='uv publish --token "$PYPI_TOKEN"'
AWS Operations
doppler run --project aws-credentials --config dev \
  --command='aws s3 ls --region $AWS_DEFAULT_REGION'
Best Practices
- Always use --command flag for credential injection
- Use project-scoped tokens (PyPI) for better security
- Rotate credentials regularly (90 days recommended)
- Document with Doppler notes: doppler secrets notes set <SECRET> "<note>"
- Use stdin for storing secrets: echo -n 'secret' | doppler secrets set <SECRET>
- Test injection before using: echo ${#VAR} to verify length
- Multi-token naming: SERVICE_TOKEN_{ABBREV} for clarity
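The expansion-timing point under "Why --command flag" and the length check from Best Practices, shown together as an added example that is not part of the skill's own content. `inject_run` and `DEMO_TOKEN` are hypothetical stand-ins for `doppler run --command` and a real secret, so the script runs without a Doppler account.

```sh
#!/bin/sh
# Constructed stand-in for `doppler run --command='...'` (assumption: it models
# only the relevant behaviour): the variable is placed in the child's
# environment, then the command string is handed to a fresh shell.
inject_run() {
    # $1 = command string exactly as the parent shell passed it
    env DEMO_TOKEN='constructed-token-value' sh -c "$1"
}

# The parent shell never holds the secret, as with Doppler-managed credentials.
unset DEMO_TOKEN

# Double quotes: the PARENT shell expands ${#DEMO_TOKEN} before inject_run
# starts, so the child only ever receives the literal text `printf %s 0`.
expanded_too_early() {
    inject_run "printf %s ${#DEMO_TOKEN}"
}

# Single quotes: the literal text reaches the child shell, which expands it
# AFTER the variable has been injected.
expanded_after_injection() {
    inject_run 'printf %s ${#DEMO_TOKEN}'
}

# Length-only check: confirms the secret arrived without writing its value
# to the terminal, shell history or CI logs.
check_injected() {
    len=$(expanded_after_injection)
    [ "$len" -gt 0 ]
}

printf 'double-quoted length: %s\n' "$(expanded_too_early)"
printf 'single-quoted length: %s\n' "$(expanded_after_injection)"
if check_injected; then
    echo 'injection OK'
else
    echo 'injection FAILED: variable is empty inside the command'
fi
```

A length of 0 from the single-quoted form means the secret name, project or config is wrong; a length of 0 only from the double-quoted form means the quoting is the problem.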
Reference Documentation
For detailed information, see:
- PyPI Publishing - Token setup, publishing, troubleshooting
- AWS Credentials - Rotation workflow, setup, troubleshooting
- Multi-Service Patterns - Multiple PyPI packages, multiple AWS accounts
- AWS Workflow - Complete AWS credential management guide
Bundled Specifications:
- PYPI_REFERENCE.yaml - Complete PyPI spec
- AWS_SPECIFICATION.yaml - AWS credential architecture
Using mise [env] for Local Development (Recommended)
For local development, mise [env] provides a simpler alternative to doppler run:
# .mise.toml
[env]
# Fetch from Doppler with caching for performance
PYPI_TOKEN = "{{ cache(key='pypi_token', duration='1h', run='doppler secrets get PYPI_TOKEN --project claude-config --config prd --plain') }}"
# For GitHub multi-account setups
GH_TOKEN = "{{ read_file(path=env.HOME ~ '/.claude/.secrets/gh-token-accountname') | trim }}"
When to use mise [env]:
- Per-directory credential configuration
- Multi-account GitHub setups
- Credentials that persist across commands (not session-scoped)
When to use doppler run:
- CI/CD pipelines
- Single-command credential scope
- When you want credentials auto-cleared after command
See mise-configuration skill for complete patterns.
PyPI Publishing Policy
<!-- ADR: 2025-12-10-clickhouse-skill-documentation-gaps -->
For PyPI publishing, see pypi-doppler skill for LOCAL-ONLY workspace policy.
Do NOT configure PyPI publishing in GitHub Actions or CI/CD pipelines.